AMENDMENTS TO THE CLAIMS:

This listing of claims will replace all prior versions, 
and listings, of claims in the application: 

LISTING OF CLAIMS:

1. (original) An attack defending system provided at 
an interface between an internal network and an external network, 
comprising a decoy device and a firewall device, wherein the 
firewall device inputs an input IP packet from the external 
network and forwards it to one of the decoy device and the 
internal network, wherein 

the decoy device comprises: 
an attack detector for detecting presence or absence of an 
attack by executing a service process for the input IP packet 
transferred from the firewall device, and 
the firewall device comprises: 
a packet filter for determining whether the input IP packet 
inputted from the external network is to be accepted, based on 
header information of the input IP packet and a filtering 
condition corresponding to the input IP packet; 

a destination selector for selecting one of the internal 
network and the decoy device as a destination of the input IP 
packet accepted by the packet filter, based on the header 
information of the input IP packet and a distribution condition; 
and 
a filtering condition manager for managing the filtering
condition depending on whether the attack detector detects an
attack based on the input IP packet forwarded to the decoy
device.

2. (original) The attack defending system according to 
claim 1, wherein the header information of an input IP packet 
includes at least one of a source IP address and a destination IP 
address thereof, 

wherein the destination selector selects a destination 
of the input IP packet depending on whether the header 
information of the input IP packet satisfies the distribution 
condition.

3. (original) The attack defending system according to 
claim 1, wherein the destination selector comprises a memory for 
storing as the distribution condition a guiding list containing a 
set of IP addresses unused in the internal network, wherein the 
destination selector selects the decoy device when a destination 
IP address of the input IP packet matches an unused IP address 
contained in the guiding list. 

4. (original) The attack defending system according to 
claim 1, wherein the destination selector comprises: 

a packet buffer for storing input IP packets; and 
a monitor for monitoring reception of a destination
unreachable message after an input IP packet has been transferred 
from the packet buffer to the internal network, 

wherein, when the monitor detects the reception of the 
destination unreachable message for the input IP packet, the 
input IP packet is transferred from the packet buffer to the 
decoy device. 

5. (original) The attack defending system according to 
claim 1, wherein the firewall device further comprises: 

a distribution condition updating section for updating 
the distribution condition depending on whether the attack 
detector detects an attack based on the input IP packet 
transferred to the decoy device. 

6. (original) The attack defending system according to 
claim 1, wherein the filtering condition manager stores the 
filtering condition with a limited validity period, which 
corresponds to the header information of the input IP packet 
forwarded to the decoy device, wherein, when the limited validity 
period has elapsed, a default filtering condition is returned to 
the packet filter. 

7. (original) The attack defending system according to 
claim 1, wherein the filtering condition manager comprises: 



Docket No. 8046-1041 
Appln. No. 10/643,864 

a condition generator for generating a filtering 
condition corresponding to a combination of an attack category of 
an attack detected by the attack detector and address information 
of the input IP packet; and 

a filtering condition controller for dynamically 
updating the filtering condition according to the filtering 
condition generated by the condition generator. 

8. (original) The attack defending system according to 
claim 6, wherein the filtering condition manager comprises: 

a condition generator for generating a filtering 
condition corresponding to a combination of an attack category of 
an attack detected by the attack detector and address information 
of the input IP packet; and 

a filtering condition controller for dynamically 
updating the filtering condition according to the filtering 
condition generated by the condition generator. 

9. (original) The attack defending system according to 
claim 1, wherein the decoy device comprises: 

an event memory for temporarily storing events related 
to at least network input/output, file input/output, and process 
creation/termination; and
an event manager for analyzing cause-effect relations
of the events stored in the event memory to form links among the
events.

10. (original) The attack defending system according to 
claim 1, wherein the attack detector detects an attack from an 
execution status of the service process according to a rule 
having at least one of domain constraint and type constraint 
added thereto. 

11. (original) The attack defending system according to 
claim 9, wherein the attack detector detects an attack from an 
execution status of the service process according to a rule 
having at least one of domain constraint and type constraint 
added thereto. 

12. (original) The attack defending system according to 
claim 11, wherein the attack detector searches the links to 
extract at least, a generation event of a process generating an 
event to be inspected and a network reception event by which the 
event to be inspected is generated, when determination is made 
based on the domain constraint and the type constraint. 

13. (original) The attack defending system according to 
claim 1, further comprising a mirroring device for copying at 
least a file system from a server on the internal network to the
decoy device, wherein when an attack is detected by the decoy 
device, the mirroring device copies at least the file system from 
the server on the internal network to the decoy device. 

14-58. (canceled) 

59. (original) A firewall device connected to a decoy 
device, provided at an interface between an internal network and 
an external network, wherein the firewall device inputs an input 
IP packet from the external network and forwards it to one of the 
decoy device and the internal network, comprising: 

a packet filter for determining whether the input IP 
packet inputted from the external network is to be accepted, 
based on header information of the input IP packet and a 
filtering condition corresponding to the input IP packet; 

a destination selector for selecting one of the 
internal network and the decoy device as a destination of the 
input IP packet accepted by the packet filter, based on the 
header information of the input IP packet and a distribution 
condition; and 

a filtering condition manager for managing the 
filtering condition corresponding to the input IP packet 
forwarded to the decoy device depending on whether the attack 
detector detects an attack based on the input IP packet. 

60-112. (canceled)
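
The packet flow recited in claims 1, 3 and 6 can be modelled as follows. This is an added illustration, not code from the application: the class and method names, the choice of a per-source-IP drop rule as the generated filtering condition, the 60-second validity period, and the `detects_attack` callback standing in for the decoy's attack detector are all assumptions, and the addresses are constructed documentation-range samples.

```python
import ipaddress

DECOY, INTERNAL, DROP = "decoy", "internal", "drop"

class Firewall:
    """Toy model: packet filter, destination selector, filtering condition manager."""

    def __init__(self, guiding_list, validity=60.0):
        # Claim 3: guiding list = IP addresses unused in the internal network.
        self.guiding_list = {ipaddress.ip_address(a) for a in guiding_list}
        self.validity = validity          # claim 6: limited validity period (assumed 60 s)
        self.blocked = {}                 # source IP -> expiry time of the drop rule

    def packet_filter(self, src, now):
        """Return True if the packet is accepted under the current condition."""
        expiry = self.blocked.get(src)
        if expiry is None:
            return True                   # default filtering condition: accept
        if now >= expiry:
            del self.blocked[src]         # validity elapsed: default condition returns
            return True
        return False

    def select_destination(self, dst):
        """Distribution condition: unused destination address goes to the decoy."""
        return DECOY if ipaddress.ip_address(dst) in self.guiding_list else INTERNAL

    def handle(self, src, dst, now, detects_attack=lambda src, dst: False):
        if not self.packet_filter(src, now):
            return DROP
        dest = self.select_destination(dst)
        # Filtering condition manager: tighten the filter only on a decoy verdict.
        if dest == DECOY and detects_attack(src, dst):
            self.blocked[src] = now + self.validity
        return dest

def demo():
    """Constructed scenario: one server at 192.0.2.10, 192.0.2.200 is unused."""
    fw = Firewall(guiding_list=["192.0.2.200"], validity=60.0)
    hostile = lambda src, dst: True       # stand-in for the decoy's attack detector
    return [
        fw.handle("203.0.113.7", "192.0.2.10", now=0),             # normal traffic
        fw.handle("203.0.113.7", "192.0.2.200", now=1, detects_attack=hostile),
        fw.handle("203.0.113.7", "192.0.2.10", now=30),            # rule active
        fw.handle("198.51.100.9", "192.0.2.10", now=30),           # other source
        fw.handle("203.0.113.7", "192.0.2.10", now=61),            # rule expired
    ]

if __name__ == "__main__":
    print(demo())
```

The time is passed in explicitly so the expiry behaviour of claim 6 can be checked deterministically; a deployment would read a monotonic clock instead.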